I have a wide scope of interests in IT, which includes hyper-v private cloud, remote desktop services, server clustering, PKI, network security, routing & switching, enterprise network management, MPLS VPN on enterprise network etc. Started this blog for my quick reference and to share technical knowledge with our team members.

Tuesday, August 7, 2012

Setting up Edge Transport Server in Exchange 2010

I was recently tasked to setup new Exchange 2010 for my organization. There is a special Exchange role called "Edge Transport Server (ETS)" that is meant for transporting messages with external networks, such as Internet. According to Microsoft, the Edge Transport Server in Exchange 2010 is secured by default and hence no need for additional hardening, such as using Security Configuration Wizard (SCW) template.

As ETS is typically placed on the network perimeter, it should not be joined to any Active Directory Domain to reduce attack surface. Ironically, this is not supported on Server Core. To link the ETS to the Exchange Organization through Edge Synchronization, there is a process called "Edge Subscription".

The process can be summarized as follows:

Install the Edge Transport server role.

Verify that the Hub Transport servers and the Edge Transport server can locate one another by using Domain Name System (DNS) name resolution.

Configure the objects and settings to be replicated to the Edge Transport server.

On the Edge Transport server, create and export an Edge Subscription file by using "New-EdgeSubscription" cmdlet.

Copy the Edge Subscription file to a Hub Transport server or a file share that's accessible from the Active Directory site that has your Hub Transport servers.

Import the Edge Subscription file to your Active Directory site to which you want to subscribe your Edge Transport server. Use "Get-Help New-EdgeSubscription -examples" for reference.

Typically, the ETS should be dual-homed with internal network interface connecting to the Hub Transport Server and external interface to the Internet. You may test the edge subscription by running "Test-EdgeSychronization" on the Exchange Management Shell (EMS) of Hub Transport Server. Once configured successfully, you can now configure the "MX" of your domain name to the external network addresss of the ETS. For high availability, setup two or more ETS on your network perimeter.

For further information, refer to this Technet article. For information on limiting message size and file attachment limits, refer to this link.